AWS Cloud Operations Blog

New: AWS CloudTrail Lake Event Enrichment: Add Business Context to AWS Activity Logs

AWS customers use AWS CloudTrail Lake to aggregate and analyze their AWS activity for security, operational troubleshooting, and compliance purposes. However, when investigating security incidents or conducting compliance audits, customers often need additional business context beyond the basic event details, such as which team or project owns the affected resources, or what properties the IAM principal that changed those resources had.

Today, we’re excited to announce a new enhancement to CloudTrail Lake: event enrichment, which makes it easier to categorize, search, and analyze your AWS activity. With event enrichment, you can now enrich your CloudTrail management and data events with additional information relevant to your business context by appending resource tags and selected AWS global condition keys to your events. You can then create application-specific activity reports using the resource tags in CloudTrail events, or view all your AWS API activity based on the properties of the IAM principal.

Let’s look at a common scenario: a security team needs to investigate unusual activity for files within an Amazon S3 bucket in their AWS environment. The basic CloudTrail event shows which API was called and by which IAM principal, but doesn’t provide crucial business context like:

  • Which application or team owned the resources
  • What type of environment (prod/test/dev) was affected
  • What type of data classification did the resource have

This forces the team to manually correlate information across multiple systems to understand the full context of the activity. Event enrichment solves this by incorporating resource tags and IAM global condition keys into your CloudTrail events at the time they are recorded.

In this blog post, we’ll explore how to use this new feature to help monitor changes to sensitive files within your S3 bucket. We’ll also show how you can then build visualizations and dashboards based on this activity to help improve your security and compliance workflows.

Prerequisites

The sample queries used in this blog for CloudTrail event enrichment require that you have an existing CloudTrail Lake event data store and Amazon S3 resources.

Setting up Event Enrichment for CloudTrail Lake

Event enrichment for CloudTrail Lake stores the added information in a field called eventContext. In this field you will find information related to resource and principal tags. Please also note that this new feature increases the overall size of each CloudTrail event, which will incur additional cost.

In this sample scenario we will show how to set up event enrichment for CloudTrail Lake within an existing event data store.

  1. Navigate to the CloudTrail console.
  2. In the left-hand navigation menu, choose Lake.
  3. Choose the Event Data Stores.
  4. Choose your Event Data Store for CloudTrail events.
  5. Under Event context, choose Edit.
  6. Under Add resource and principal tag keys, add the following resource tag keys:
    • Environment
    • Team
    • DataClassification
  7. We can also choose to Add IAM global condition keys. For this example we will only be using resource tags.

Figure 1: AWS CloudTrail Enrich events configuration section of the event data store

  8. Choose Save changes.

From this point on, CloudTrail Lake records, for each event, the tags of the resources involved that carry the tag keys we defined under the event context section. (Note: This feature can also be set up in a new event data store.)

Analyzing changes to S3 resources using Event Enrichment

Next, we will use CloudTrail Lake to query for any DeleteObject and PutObject events for Amazon S3 related to a specific tag.

  1. Navigate to the CloudTrail console.
  2. In the left-hand navigation menu, choose Lake.
  3. Choose Query.
  4. Copy the query below and paste it into your editor window. (Note: you must replace $EDS_ID with the ID of your event data store. You can also adjust the eventtime range to the period you would like to query.)

SQL Query:

SELECT eventtime, eventName, substr(userIdentity.arn, strpos(userIdentity.arn, '/') +1) as IAM,
eventContext.tagContext.resourceTags[1].tags as tags,
eventContext.tagContext.resourceTags[1].arn as resourceArn, 
element_at(requestParameters, 'key') as S3Object
FROM $EDS_ID
WHERE eventContext IS NOT NULL
AND eventSource = 's3.amazonaws.com'
AND eventname in ('DeleteObject', 'PutObject')
AND eventtime >= '2025-06-02 00:00:00'
AND eventtime <= '2025-06-02 23:59:59'
  5. Click Run and your results will show under Query Results.

Figure 2: AWS CloudTrail query results

The query results show API actions for DeleteObject and PutObject events from Amazon S3, including the associated tags for these resources that were defined within the event context for the event data store. We can then narrow this query further by only including events where the DataClassification tag is set to sensitive. The following query displays all related API activity for resources that carry this tag value.

SQL Query:

SELECT eventtime, eventName, substr(userIdentity.arn, strpos(userIdentity.arn, '/') +1) as IAM,
element_at(eventContext.tagContext.resourceTags[1].tags, 'DataClassification') as DataClassification,
eventContext.tagContext.resourceTags[1].arn as resourceArn, element_at(requestParameters, 'key') as S3Object
FROM $EDS_ID
WHERE eventContext IS NOT NULL
AND element_at(eventContext.tagContext.resourceTags[1].tags, 'DataClassification') = 'sensitive'
AND eventSource = 's3.amazonaws.com'
AND eventname in ('DeleteObject', 'PutObject')
AND eventtime >= '2025-06-02 00:00:00'
AND eventtime <= '2025-06-02 23:59:59'

Figure 3: AWS CloudTrail query results

You can also use the CloudTrail Lake query generator to produce a query that displays events related to the resource tags you defined. For example, you can enter a prompt like “Show me all S3 changes with the resource tag Environment that has the value of prod.” The CloudTrail Lake query generator will then produce a query similar to the one below.

SQL Query:

SELECT *
FROM $EDS_ID
WHERE eventCategory = 'Management'
AND eventSource IN ('s3.amazonaws.com', 's3-control.amazonaws.com')
AND eventtime >= '2025-06-02 00:00:00'
AND eventtime <= '2025-06-02 23:59:59'
AND any_match(
eventContext.tagContext.resourceTags,
rt->element_at(rt.tags, 'Environment') = 'prod'
)

Creating Actionable Insights using CloudTrail Lake dashboards

With event enrichment for CloudTrail Lake, you can build more meaningful visualizations. Below are some examples of the type of visualizations you can create using CloudTrail Lake dashboards.

  • API activity by application/team
  • Resource changes by environment
  • Access patterns by user type

Let’s create a custom widget for S3 Activity related to the Sensitive Data Classification and add it to a CloudTrail Lake dashboard.

  1. Navigate to the CloudTrail console.
  2. In the left-hand navigation menu, choose Lake.
  3. Choose Query.
  4. Copy the query below and paste it into your editor window. (Note: you must replace $EDS_ID with the ID of your event data store. You can also adjust the eventtime range to the period you would like to query.)

SQL Query:

SELECT count(*) as count, eventName, substr(userIdentity.arn, strpos(userIdentity.arn, '/') +1) as IAM,
element_at(eventContext.tagContext.resourceTags[1].tags, 'DataClassification') as DataClassification,
eventContext.tagContext.resourceTags[1].arn as resourceArn, element_at(requestParameters, 'key') as S3Object
FROM $EDS_ID
WHERE eventContext IS NOT NULL
AND element_at(eventContext.tagContext.resourceTags[1].tags, 'DataClassification') = 'sensitive'
AND eventSource = 's3.amazonaws.com'
AND eventname in ('DeleteObject', 'PutObject')
AND eventtime >= '2025-05-29 00:00:00'
AND eventtime <= '2025-05-29 23:59:59'
GROUP BY eventName,
substr(userIdentity.arn, strpos(userIdentity.arn, '/') +1),
element_at(eventContext.tagContext.resourceTags[1].tags, 'DataClassification'),
eventContext.tagContext.resourceTags[1].arn,
element_at(requestParameters, 'key')
  5. Click Run and your results will show under Query Results.
  6. Choose the Visualizer tab.
  7. Under the Chart setting section, select Bar Chart as the chart type.
  8. For Label parameter, choose eventName and for Value choose Count.
  9. Choose Add to dashboard.
  10. Enter S3 Activity for Sensitive Data Classification as the widget title.
  11. Choose Create a new dashboard and choose Create dashboard.
  12. Enter S3-Activity as the name of the dashboard.
  13. Choose Create dashboard.

Figure 4: AWS CloudTrail Lake dashboard for S3 activity
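To see what the enrichment fields used by the queries in this post look like once the results leave the console, here is an added Python example; it is not code from this post or from AWS. It assumes the event shape implied by the field paths in the queries (eventContext.tagContext.resourceTags[] with an arn and a tags map, requestParameters.key, userIdentity.arn), builds constructed sample events, and reproduces both the sensitive-data filter and the dashboard's per-eventName count, generalizing slightly by checking every resource tag set on an event rather than only resourceTags[1].

```python
from collections import Counter

def _ev(name, principal_arn, key, tags, source="s3.amazonaws.com"):
    # Build one constructed enriched event with the field paths the page's queries use.
    ev = {"eventSource": source, "eventName": name,
          "userIdentity": {"arn": principal_arn},
          "requestParameters": {"bucketName": "demo-bucket", "key": key}}
    if tags is not None:  # an untagged resource yields no eventContext at all
        ev["eventContext"] = {"tagContext": {"resourceTags": [
            {"arn": "arn:aws:s3:::demo-bucket", "tags": tags}]}}
    return ev

# Constructed sample events (not real CloudTrail records).
SAMPLE_EVENTS = [
    _ev("DeleteObject", "arn:aws:sts::123456789012:assumed-role/DataOps/alice",
        "q2/payroll.csv", {"Team": "finance", "DataClassification": "sensitive"}),
    _ev("PutObject", "arn:aws:iam::123456789012:user/bob", "notes.txt",
        {"Team": "platform", "Environment": "dev"}),
    _ev("PutObject", "arn:aws:iam::123456789012:user/carol", "x.bin", None),
    _ev("PutObject", "arn:aws:iam::123456789012:user/bob", "q2/ledger.csv",
        {"DataClassification": "sensitive"}),
    _ev("TerminateInstances", "arn:aws:iam::123456789012:user/bob", "",
        {"DataClassification": "sensitive"}, source="ec2.amazonaws.com"),
]

def principal_name(arn):
    # Same idea as substr(arn, strpos(arn, '/') + 1): everything after the first '/'.
    return arn.split("/", 1)[1] if "/" in arn else arn

def resource_tags(event):
    # Every tagged resource on the event, not only resourceTags[1] as in the queries above.
    return event.get("eventContext", {}).get("tagContext", {}).get("resourceTags", [])

def sensitive_s3_activity(events, classification="sensitive"):
    # Rows of (eventName, principal, resourceArn, key) for S3 object writes/deletes
    # touching a resource tagged DataClassification=<classification>.
    rows = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or \
           ev.get("eventName") not in ("DeleteObject", "PutObject"):
            continue
        for rt in resource_tags(ev):
            if rt.get("tags", {}).get("DataClassification") == classification:
                rows.append((ev["eventName"], principal_name(ev["userIdentity"]["arn"]),
                             rt["arn"], ev["requestParameters"].get("key")))
    return rows

def activity_counts(events):
    # Equivalent of the dashboard query's count(*) ... GROUP BY eventName.
    return Counter(row[0] for row in sensitive_s3_activity(events))
```

The untagged and non-S3 sample events are there on purpose: a missing eventContext must not break the filter, and an ec2 event tagged sensitive must stay out of an S3 widget.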

Cleanup

To prevent incurring additional charges, remove the CloudTrail Lake resources that were created during this walkthrough.

Conclusion

Event enrichment makes CloudTrail Lake an even more powerful tool for security and compliance teams. The additional context helps you better understand and analyze account activity. In this post we demonstrated how to use event enrichment for CloudTrail Lake to provide an audit trail for resources based on resource tags. We then showed how to use CloudTrail Lake dashboards to build visualizations that turn this activity into meaningful, actionable insights about your resources. To learn more about how you can use CloudTrail Lake event enrichment, please take a look at our documentation.

About the authors

Isaiah Salinas

Isaiah Salinas is a Senior Specialist Solution Architect with the Cloud Operations Team. With over 10 years of experience working with AWS technology, Isaiah works with customers to design, implement, and support complex cloud infrastructures. He also enjoys talking with others about how to use AWS services to provide solutions to their problems.